An introduction to ISO27001
What is an ISMS?
An Information Security Management System (ISMS) is the people, systems, technologies, and processes that all come together to protect an organisation's information. An ISMS may encompass an entire organisation or a selection of information assets. Which people, systems, technologies and processes are in scope of the ISMS is always derived from the information that the ISMS intends to protect.
This is why in Tidal, one of the first steps you will take is to determine which information you're trying to protect, and then derive the scope of people, systems, technologies, and processes from it. This also means that you can obtain ISO27001 certification with a subset of the organisation's employees and IT systems!
What is ISO27001?
ISO/IEC 27001, commonly referred to as ISO27001, is an international standard designed to help organisations manage the security of their information assets. The standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS.
The primary objective of ISO27001 is to protect the confidentiality, integrity, and availability of information by applying a risk management process. It ensures that an organisation has in place the necessary controls and policies to mitigate risks and safeguard sensitive data from unauthorised access, breaches, and other forms of cyber threats.
Why do organisations pursue ISO27001 certification?
- Competitive Advantage: Achieving ISO27001 certification demonstrates to customers and stakeholders that an organisation takes information security seriously. It builds trust and confidence in the organisation's ability to protect sensitive data. In a competitive market, ISO27001 certification can be a differentiator.
- Regulatory Compliance: Many industries are subject to regulatory requirements that mandate the protection of sensitive information. ISO27001 helps organisations comply with these regulations by providing a comprehensive framework for information security management.
- Business Resilience to Cyberattacks: ISO27001 ensures that organisations have a structured approach to managing security incidents and recovering from disruptions. This enhances the organisation's resilience and ability to maintain operations in the face of cyberattacks or other crises.
The Certification process
Certification can only be conducted by accredited certification bodies. These organisations are recognised for their competence, impartiality, and performance capability.
Certification audit
The certification audit is conducted in two stages by the chosen certification body:
Stage 1 Audit (Document Review):
The auditors review your ISMS documentation to ensure it aligns with ISO27001 requirements. This includes verifying that all necessary documents are in place and that the ISMS is appropriately designed.
Stage 2 Audit (On-Site Assessment):
The auditors visit your organisation to assess the implementation and effectiveness of the ISMS. This involves interviews with staff, observation of processes, and examination of records to confirm that the ISMS operates as intended.
Certification decision
Based on the findings of the Stage 2 audit, the certification body makes a decision. If your ISMS meets ISO27001 requirements, you will be awarded ISO27001 certification. If too many non-conformities are found, you must address them before certification can be granted.
Successful completion of the audit results in the award of ISO27001 certification, which is valid for three years, with annual surveillance audits to ensure continued compliance.
Surveillance Audits
ISO27001 certification is not a one-time event. To maintain certification, your organisation must undergo regular surveillance audits, typically annually, conducted by the certification body. These audits ensure that the ISMS continues to operate effectively and that continual improvement processes are in place.
Recertification
Every three years, a recertification audit is required to renew the ISO27001 certification. This comprehensive audit reassesses the entire ISMS to ensure ongoing compliance and effectiveness.